Hospitals and other healthcare providers are facing significant financial and fiscal pressures. The recession and the sluggish recovery reduced personal incomes and, therefore, the demand (if not the actual need) for healthcare services. Pharmaceutical therapies and ambulatory surgical centers had previously reduced hospital admissions and revenues. Reduced reimbursements by Medicare, Medicaid, and private insurers have further suppressed revenues. It is not surprising, therefore, that even prestigious and well-funded research medical centers like Vanderbilt University and the Cleveland Clinic are significantly reducing their workforces to shave operating budgets.[1]
Another source of financial pressure is the increasingly vigorous enforcement of health information privacy and security laws, particularly HIPAA. The HITECH Act of 2009 substantially increased the penalties for HIPAA violations.[2] Leon Rodriguez, the director of the Office of Civil Rights (“OCR”)at the U.S. Department of Health and Human Services has repeatedly stated that HIPAA enforcement will be a top priority at OCR.
Increased penalties and a vigorous enforcement of HIPAA has significantly impacted many healthcare providers. Idaho State University has paid $400,000 penalty and entered into a corrective action plan with OCR to resolve an alleged HIPAA violation.[3] Wellpoint, Inc., a managed care company, paid OCR $1.7 million to settle a potential action for a breach of the protected health information (“PHI) of 612,402 individuals and entered into a corrective action plan.[4] Cignet Health paid a $4.3 million fine for failing to make protected health information available to patients as required by HIPAA.[5] Less significant violations are not going unnoticed. Hospice of North Idaho paid a $50,000 fine in connection with a relatively small data breach.[6] According to Leon Rodriguez, as of May 23, 2013, OCR had collected $14,883,345 in recoveries for HIPAA breaches since 2010.[7]
There is no private cause of action under HIPAA. Creative plaintiff’s counsel, therefore, have had to look to state law for theories of recovery for HIPAA violations. As a result, Healthcare providers now face yet another source of financial pressure. For example, a Walgreen’s customer sued both Walgreen’s and a Walgreen’s pharmacist in an Indiana state court for damages arising out of the unauthorized access and disclosure of her PHI. The customer was a former girlfriend of the pharmacist’s husband. The pharmacist accessed the customer’s PHI and disclosed it to her (the pharmacist’s) husband, who allegedly used it to intimidate the customer. The customer asserted common law claims against Walgreen’s for negligently training and supervising the pharmacist and common tort claims against the pharmacist for breach of privacy. On July 26, 2013, a jury awarded the customer a judgment of $1,440,000 against Walgreen’s and the pharmacist. Walgreen’s is appealing the verdict. However, even if the judgment is reversed, Walgreen’s will no doubt have incurred significant legal expenses as a result of the pharmacist’s HIPAA violation.
Advocate Health and Hospital Corp. (“Advocate”) of Downers Grove, Illinois is potentially facing even bigger problems. Four laptops containing the PHI of 4 million individuals were stolen from Advocate. Advocate is now facing three putative class actions: one in the United States Bankruptcy Court for the Northern District of Illinois and two in the Circuit Court of Cook County, Illinois.
The federal complaint[8], asserts claims for (i) willful violations of the Fair Credit Reporting Act; (ii) negligent violation of the Fair Credit Reporting Act; (iii) negligence; and (iv) invasion of privacy by public disclosure of private facts. One Cook County complaint[9], , asserts claims for (i) breach of the contract allegedly evidenced by Advocate’s Notice of Privacy Practices (“NOPP”); (ii) breach of the contract allegedly implied in the NOPP; (iii) unjust enrichment; and (iv) breach of fiduciary duty. The second Cook County complaint,[10] asserts claims for (i) negligence; (ii) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act; (iii) invasion of privacy; (iv) intentional infliction of emotional distress; and (v) violation of the Illinois Consumer Fraud Act. It is by no means certain that the complaints will survive motions to dismiss or that the named plaintiffs will succeed in obtaining class certification. Nevertheless, Advocate will almost certainly incur significant legal expenses in resolving the suits and may have to make significant payments and pay significant civil monetary penalties as a result of the theft.
Some states are making it easier to bring litigation asserting claims arising out of HIPAA violations. Most recently, the California Secretary of State has allowed the signature collection to commence on a ballot initiative, the Personal Protection Act, that would amend California’s constitution to defined personal identifying information (including health-related information) and set standards for the collection and protection of that information. The summary to the act makes it clear that a private cause of action is contemplated.
[1] See Davidson, P and Hansen, B., A Job Engine Sputters as Hospitals Cut Staff, http://www.usatoday.com/story/ money/business/2013/10/13/ hospital-job-cuts/2947929/.
[2] See 45 CFR 160.404(b)(2).
[3] http://www.hhs.gov/ ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html
[4] http://www.hhs.gov/ ocr/ privacy/hipaa/ enforcement/examples/wellpoint-agreement.html
[5] http://www.hhs.gov/ocr/privacy/hipaa/news/cignetnews.html.
[6] http://www.hhs.gov/ocr/ privacy/hipaa/enforcement/examples/wellpoint-agreement.html.
[7] http://healthitsecurity.com/ 2013/05/23/ocr-talks-data-breach-avoidance-best-practices/.
[8] Erica Tierney et al, v. Advocate Health and Hospitals Corp et al. (N.D. Ill. Civil Action No. 13-06237).
[9] Alex Lozada, et al., v. Advocate Health and Hospitals Corporation, et al. (Case No. 13-CH-20390).
[10] Pierre Petrich, et al. v. Advocate Health and Hospitals Corporation, et al. (Case No. 13-L-009984).